ACH provides internal medicine physicians to hospitals and nursing homes in west central Florida, and provides services to more than 20,000 patients annually. The latest announcement from HHS details an incident in which ACH shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).

The incident occurred between November 2011 and June 2012. ACH engaged the services of an individual who claimed to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, allegedly without the knowledge or permission of First Choice’s owner.

On February 11, 2014, a local hospital notified ACH that patient names, dates of birth, and Social Security numbers had been published on the First Choice website. ACH identified at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH then filed a breach report with OCR stating that an additional 8,855 patients could have been affected.

OCR’s investigation revealed that ACH did not enter into a business associate agreement (BAA) with the medical billing service, and did not adopt any policy requiring business associate agreements until April 2014. Additionally, ACH had not conducted a risk analysis or developed any written HIPAA policies or procedures before 2014.

Under the resulting corrective action plan, ACH agrees to adopt business associate agreements, conduct an enterprise-wide risk analysis, and implement policies and procedures to comply with the HIPAA Rules.

What Does This Violation Mean?

HIPAA violations can stem from some of the most basic issues. In this case, a single unsigned Business Associate Agreement (BAA) led to protected health information being compromised and to a large fine. Organizations must have administrative policies in place and understand what those policies require of them. Established administrative policies and standard operating procedures for vetting vendors would have prevented the sharing of PHI with an unauthorized third party.

How Can Dash Help?

Unlike many solutions that address either technical controls or administrative controls, Dash lets users customize and create policies and then enforce those policies through continuous compliance monitoring. For this specific violation, the Dash Risk Management Policy covers how to conduct a risk analysis and how to handle third-party contractors and vendors. By connecting this policy to IAM role-related monitoring and the System Access Policy, Dash users can proactively set security controls and prevent this exact issue.